OWASP Top 10 For Flutter – M7: Insufficient Binary Protection in Flutter & Dart
Welcome back to our deep dive into the OWASP Mobile Top 10 for Flutter developers.
In earlier parts, we tackled
Each is a critical piece of the mobile security puzzle.
In this seventh article, we focus on M7: Insufficient Binary Protection, a risk that doesn't hide in your code logic, network calls, or database queries. Instead, it targets something more fundamental: the compiled Flutter app itself. When you ship your app to users, you're essentially handing over a complete package of your business logic, algorithms, and sometimes your secrets too. Without proper protection, attackers can reverse engineer, tamper with, or redistribute your application as they see fit.
Majid Hajian Azure & AI advocate@Microsoft Dart & Flutter community leader Organizer@FlutterVikings, Author of http://flutterengineering.io
I've seen this vulnerability underestimated more times than I can count. Developers often assume that because Dart code gets compiled to native machine code, it's somehow "safe." The reality? It's just a different challenge for attackers, not an impossible one. Tools like Ghidra, Frida, and even Flutter-specific utilities like reFlutter make binary analysis more accessible than ever.
Let's get started.
Source Code: All code examples from this article are available as a runnable Flutter project on GitHub:
Understanding Binary Protection in Mobile Apps
What is Binary Protection?
Binary protection is about safeguarding your compiled app from being analyzed, modified, or misused. To really get why it matters, just think about what actually happens when you build a Flutter app.
Your Dart code doesn't stay as readable source code - it gets compiled into machine code for iOS or a combination of native libraries and Dart AOT(Ahead-of-Time) snapshots for Android. This compiled binary is what users download from app stores, and here's the uncomfortable truth: it contains everything:
Your business logic and proprietary algorithms
Hardcoded secrets (API keys, encryption keys—yes, even if you think you've
hidden them)
Security mechanisms (license checks, authentication flows, anti-cheat
logic)
Proprietary assets (AI/ML models, unique computational methods)
I know what you're thinking, "But it's compiled, surely that's secure enough?"I've heard that reasoning a lot. Without adequate protection, attackers can domore than you'd expect:
Why Flutter Apps Are Targets
I've been asked many times whether Flutter apps are inherently safer than React Native or web apps.
The honest answer is as I always say: it depends.
Flutter has real strengths, but also some quirks that make it a unique target.
Take Dart's Ahead-of-Time (AOT) compilation, for example. Your Dart code gets turned into native machine code before execution, unlike Just-in-Time (JIT)compilation, which happens at runtime. That's more secure than shipping plaintext JavaScript, no doubt. But it's not immune to reverse engineering.Skilled attackers with the right tools can still extract meaningful information from that compiled code.
What catches many developers off guard is where that compiled code actually lives—I'll walk you through the exact package structure in a moment, but once you see it, the need for protection becomes obvious.
The cross-platform nature of Flutter is a double-edged sword here too. Once an attacker cracks your Android app, the same techniques usually work directly on iOS—because it's the same Dart codebase underneath.
And as Flutter keeps growing in enterprise, fintech, and high-value consumer products, it's drawing more attention from attackers. That's just how it goes: the higher the stakes, the more motivated the attackers.
The Business Impact
Before we get into the technical details, I want to spend a moment on the business side of this. In my experience, binary protection is often deprioritized because it feels abstract—until something goes wrong.
According to the OWASP Mobile Top 10 (2024) — M7: Insufficient Binary Protections, insufficient binary protection can lead to significant damage across multiple dimensions:
Impact Type
Description
Example
Financial Loss
Misuse of commercial APIs, bypassed payments
Stolen API keys cost $50K/month
IP Theft
Algorithms, AI models extracted
Competitor copies your ML model
Reputation Damage
Malicious clones distributed
Fake banking app steals credentials
Revenue Loss
Pirated premium features
Pro features unlocked for free
I've personally seen startups lose months of competitive advantage because a competitor extracted their core algorithm from an unprotected APK. I've also witnessed companies face unexpected cloud bills when attackers extracted API keys and used them for their own purposes. These aren't hypothetical scenarios, they happen regularly, and they often happen to apps whose developers assumed"nobody would bother."
Flutter's Binary Architecture: Know Your Attack Surface
Before we talk about defense, we need to look at the app the same way an attacker does. I find this exercise genuinely useful, once you see what's exposed, the motivation to protect it becomes a lot more concrete.
Android APK Structure
When you run flutter build apk, Flutter produces an APK file that follows a specific structure. Understanding this structure helps you appreciate where your code ends up and why certain files are targeted:
See that libapp.so file? That's the crown jewel for attackers. It contains your entire Dart application compiled to native code. Every widget, every service class, every business logic function, it's all in there. While it's compiled to machine code (not human-readable Dart), skilled reverse engineers can still extract a surprising amount of information from it.
iOS IPA Structure
The iOS story is similar. When you archive your Flutter app for iOS distribution, the IPA contains:
Just like Android's libapp.so, the App.framework/App binary contains yourcompiled Dart code. iOS apps benefit from Apple's code signing requirements andstricter app review process, but once someone has your IPA file, they cananalyze it using the same reverse engineering techniques.
What Attackers Can Extract
Let me show you something that might make you uncomfortable. Consider this seemingly innocent code that many developers write without thinking twice:
You might think that breaking up the string or using a method makes it harder to find. It doesn't. An attacker running the strings command on your binary—or using more advanced tools like Ghidra, can easily locate these:
The tree of the folders are like:
Then you can run (on Linux or Mac)
Output: you may find many but among those you will find
It really is that simple. If you've hardcoded secrets in your Dart code, consider them already compromised the moment you publish your app.
Attack Vectors: How Attackers Target Flutter Apps
Now that we understand what's inside a Flutter app, let's examine the specific techniques attackers use. Understanding these attack vectors isn't about learning to attack, it's about knowing what you're defending against.
1. Static Analysis (Reverse Engineering)
Static analysis involves examining your app without running it. Attackers use disassemblers and decompilers to dig into your binary and understand its structure. It's like reading a book—they don't need the app to be running to learn from it.
Common Tools Used Against Flutter Apps:
Here's a look at the tools attackers commonly use. Most of these are freelyavailable and well-documented:
Tool
Platform
Purpose
That last one—reFlutter—deserves special attention. It's specifically designed to reverse engineer Flutter apps, and it's particularly dangerous because it understands Flutter's architecture:
Notice how it reveals function names like LicenseChecker.verifyPremium? An attacker now knows exactly where to look if they want to bypass your premium features.
2. Dynamic Analysis (Runtime Attacks)
While static analysis is like reading a book, dynamic analysis is like watching a movie—attackers observe (and manipulate) your app while it's running. Tools like Frida allow attackers to "hook" into your app at runtime and modify its behavior on the fly.
Here's a real example of a Frida script that could bypass a license check in aFlutter app:
The attacker doesn't need to understand your entire codebase. They just need to find the function that checks for premium access and make it always return true. With the function names exposed by static analysis, this becomes a focused attack rather than a blind search.
3. Binary Patching (Code Tampering)
Sometimes attackers don't bother with real-time manipulation, they simply modify your app's binary directly and redistribute it. This is particularly common for apps with premium features, in-app purchases, or ad-supported business models.
The steps are surprisingly simple:
Once the modified APK is created, it can be uploaded to third-party app stores, shared on forums, or distributed through other channels. Users who install these cracked versions get your premium features for free, and you lose revenue. Worse, if the attacker injected malicious code alongside the cracks, those users' devices (and your app's reputation) are compromised.
4. Real-World Attack Scenario
Let me walk you through a realistic attack scenario to make this more concrete.Imagine you've built a Flutter fintech app with premium trading features:
Here's how an attacker would compromise this:
Step 1: Use reFlutter to dump function names, discovering
TradingFeatures.isPremiumUserandTradingFeatures.executeAdvancedTradeStep 2: Use Ghidra or IDA Pro to locate the check for
isPremiumUserin the compiled binaryStep 3: Patch the conditional jump instruction to always proceed as if
isPremiumUseristrueStep 4: Repack the APK, sign it with a new key, and use it, or distribute the cracked version
The entire process might take an experienced attacker a few hours. Your premium features are now available to anyone who downloads the cracked APK.
Protecting Your Flutter Apps: Defense Strategies
Let's shift to defense. You can't make your app completely unbreakable (nothing is), but you can make attacking it significantly more difficult, time-consuming, and unreliable. The goal is to make the cost of attacking your app higher than the potential reward.
1. Code Obfuscation
Code obfuscation is your first line of defense. It doesn't prevent reverse engineering entirely, but it makes the attacker's job much harder by replacing meaningful names with gibberish and making the code structure more difficult to follow.
The good news? Flutter provides built-in obfuscation that you should always enable for release builds. It's a simple flag, but it's surprising how many developers forget to use it.
Enabling Flutter Obfuscation
Here's how to build your app with obfuscation enabled:
What does --obfuscate actually do?
It renames your classes, methods, and fields to meaningless names. The result isthat your stack traces become unreadable (without the symbol map), and reverseengineers have a much harder time understanding what each function does.
Before obfuscation:
After obfuscation:
Now, instead of immediately knowing that LicenseChecker.verifyPremium is thefunction to target, an attacker sees qR.sT() and has no idea what it doeswithout significant additional analysis.
Preserving Debug Information
"But wait," you might be thinking, "if my stack traces are unreadable, how do Idebug production crashes?"
Great question! The --split-debug-info flag is the answer. It saves the symbol mapping to a separate directory that you keep secure but don't ship with your app. When a crash occurs, you can use these symbols to translate the obfuscated stack trace back to meaningful code:
The key is to upload the debug symbols to your crash reporting service. Thisway, you see readable crash reports in your dashboard, but attackers only seeobfuscated gibberish:
Advanced Obfuscation with ProGuard (Android)
For Android, you can add an extra layer of protection using ProGuard (or R8, which is now the default). While Flutter's Dart code is obfuscated by the --obfuscate flag, any Kotlin/Java code (including plugin code) benefits from ProGuard.
Configure it in your android/app/build.gradle:
Then create android/app/proguard-rules.pro with rules to keep Flutter's necessary classes while obfuscating everything else:
Note: The directive -optimizationpasses is ignored by R8 (Android's default shrinker since AGP 3.4). R8 determines the optimal number of passes internally. If you're on a recent Android Gradle Plugin version, you're already using R8; the ProGuard format is accepted for compatibility, but R8-specific flags may differ.
See the R8 compatibility FAQ.
2. Protecting Sensitive Strings and Keys
This is perhaps the most critical section of this entire article. I cannot stress this enough: never hardcode secrets in your Dart code. Not API keys, not encryption keys, not tokens, nothing. They will be extracted.
Let's look at some alternatives, from simple to more advanced:
Using Environment Variables (Build-time)
The simplest improvement is to use Dart's String.fromEnvironment to inject secrets at build time rather than embedding them in source code:
Important caveat: While this keeps secrets out of your source code repository (a good practice for version control), the strings still end up in the compiled binary. An attacker examining your libapp.so can still find them.This approach is better for organization and CI/CD practices, but it's not a security silver bullet.
Using Native Code for Extra Protection
If you absolutely must include a secret in your app (though I'd encourage you to question whether that's really necessary), storing it in native code adds an extra layer of difficulty for attackers. Native code (C/C++) is generally harder to reverse engineer than Dart code.
Here's an example of how to set this up:
Android (Kotlin) - Create a method channel:
C++ Native Library (secrets.cpp) - Add simple obfuscation:
Dart side - Call the native method:
A word of caution: Native code makes extraction harder, not impossible. A determined attacker with Ghidra and enough time can still figure it out. This isa speed bump, not a wall.
Using Secure Remote Configuration
Here's the truth that many developers don't want to hear: the most secure approach is to never ship secrets with your app at all. Instead, fetch sensitive configuration from a secure server at runtime.
Firebase Remote Config is one popular option for this pattern:
With this approach, even if an attacker completely reverse engineers your app, they won't find the API key because it was never there to begin with. They'd have to intercept network traffic or compromise your Firebase project, both of which are significantly more difficult than extracting a string from a binary.
3. Integrity Verification and Anti-Tampering
Obfuscation and secret management are about making attack harder. But what about detecting when an attack has already happened? Integrity verification allows your app to check whether it has been modified and respond appropriately.
The idea is simple: your app knows what it should look like. If something's different, sound the alarm.
Signature Verification (Android)
Android apps are digitally signed before distribution. When you upload your appto the Play Store, it's signed with your release key. If an attacker modifies your app and re-signs it (which they must do for the modified APK to install),the signature changes.
Here's how to implement signature verification:
The Android native implementation does the heavy lifting:
App Integrity Check with Hash Verification
Beyond signature checking, you can also verify that your binary files haven't been modified by computing and comparing hash values:
This approach requires you to generate the expected hash during your build process and embed it in the app. There's an inherent chicken-and-egg problem here: the hash lives inside the binary, but computing the hash changes the binary. The standard workaround is to hash a file other than the one containing the expected value (e.g., hash libflutter.so or specific asset files), or perform the verification entirely on the server by uploading the hash at startup. A purely client-side self-check will always have this limitation.
Building a Comprehensive Integrity Service
In practice, you'll want to combine multiple integrity checks into a single service that can assess your app's overall security posture:
Here is an screenshot of decompiled app by Jadx:
4. Root/Jailbreak Detection
A rooted Android device or jailbroken iOS device gives users (and attackers)elevated privileges that bypass the normal security sandbox. On such devices, other apps can read your app's private storage, attach debuggers, and intercept communications.
Detecting these compromised environments is an important defense layer. Here's a comprehensive approach:
The Android implementation needs to check multiple indicators because advanced rooting tools like Magisk actively try to hide themselves:
5. Anti-Debugging Protection
Debuggers are powerful tools, for developers and attackers alike. In a production app, there's no legitimate reason for a debugger to be attached.Detecting debugger attachment can help identify when your app is being analyzed at runtime.
On Android, you can also detect Frida specifically, which is the tool of choice for many attackers:
Android implementation with Frida detection:
A word of caution: determined attackers can hook your anti-debugging code and make it always return "no debugger found." This is why defense in depth matters, no single check is sufficient, but multiple layers make attacks significantly harder.
6. Using freeRASP for Comprehensive Protection
Implementing all these protections from scratch is a significant undertaking. Fortunately, there are libraries that package these protections together. One excellent option for production apps is freeRASP by Talsec, which provides comprehensive Runtime Application Self-Protection.
What I appreciate about freeRASP is that it handles the cross-platform complexity for you—writing native security code for both Android and iOS is time-consuming, and getting it wrong can create false security. Here's how to integrate it:
7. Server-Side Validation: The Most Important Defense
I've saved this for last, but it's probably the most important concept in this entire article: never trust the client. No matter how much protection you add to your app, a sufficiently determined attacker can eventually bypass it.The only truly secure approach is to validate critical operations server-side.This is sometimes called the "zero trust client" principle — see the OWASP MASTG section on tampering and reverse engineering for why client-side checks alone are never sufficient.
Think about it this way: every line of code that runs on a user's device is potentially compromised. The server, on the other hand, is under your control.Here's how this plays out in practice:
Server-side validation:
Protecting Specific Assets
Before we wrap up the defensive strategies, let's talk about protecting specific high-value assets in your Flutter app. Different types of assets require different protection approaches.
Protecting AI/ML Models
If your Flutter app includes embedded AI or machine learning models (increasingly common with TensorFlow Lite or ONNX models), these represent significant intellectual property investments. An attacker who extracts your model can use it without paying licensing fees, or worse, sell it to competitors.
Here's an approach to encrypt your models:
Remember: the decryption key is still a secret that needs protection, so this loops back to our earlier discussion about not hardcoding secrets.
Protecting Business Logic
This is a philosophical point as much as a technical one. Ask yourself: does this logic need to be on the client? For critical business rules, pricing algorithms, fraud detection, premium feature gates, the answer is often "no."
Compare these two approaches:
Binary Protection Checklist
Before deploying your Flutter app, run through this checklist. I've organized it by when in your development process you should address each item:
Build-Time Protection
Enable
--obfuscateflag for all release buildsUse
--split-debug-infoand securely store symbolsConfigure ProGuard/R8 for Android
Remove debug logging in release builds
Strip symbols from native libraries
Secret Management
No hardcoded API keys or secrets in Dart code
Use
--dart-definefor build-time configurationStore sensitive keys in native code (if must be in app)
Prefer server-side secret management
Implement secure remote configuration
Runtime Protection
Implement signature verification
Add root/jailbreak detection
Include debugger detection
Use integrity checking
Consider freeRASP or similar RASP solution
Server-Side Validation
Never trust client-side license checks alone
Validate app signature on server
Implement device binding for licenses
Log and monitor suspicious activity
Rate limit API endpoints
Distribution Security
Only distribute through official stores
Monitor for unauthorized app copies
Implement app attestation
Report and take down cloned apps
Testing Your Protection
Here's something many developers overlook: you should test your own app using the same tools attackers use. This isn't about becoming a hacker, it's about validating that your protections actually work.
Tools to Test Your Own App
If you find sensitive strings or unobfuscated function names, you know you havework to do before shipping.
Automated Security Testing
You can (and should) automate these checks in your CI/CD pipeline. Here's aGitHub Actions workflow that catches common issues before they reach production:
Conclusion
If there's one thing I want you to take away from this article, it's that protecting your Flutter app's binary is an ongoing process, not a one-time checkbox. Attackers continuously evolve their techniques, and your defenses must evolve too.
Here are the key principles to remember:
Always obfuscate release builds with
--obfuscate, it's free and significantly raises the bar for attackersNever hardcode secrets, they will be extracted, it's only a matter of time
Implement defense in depth, no single protection is enough, but layers make attacks impractical
Trust the server, not the client, any code running on a user's device is potentially compromised
Test your own app with attacker tools before shipping
Consider RASP solutions like freeRASP for comprehensive protection without reinventing the wheel
Monitor and respond to security incidents—detection is as important as prevention
Remember: the goal isn't to make your app impossible to crack. That's not achievable—given unlimited time and resources, any client-side protection can be defeated. The real goal is twofold: make attacking your app expensive enough that attackers move on to easier targets, and detect attacks quickly so youcan respond before significant damage occurs.
In the next article, we'll explore M8: Security Misconfiguration, where we'll examine how seemingly innocent configuration settings can create serious vulnerabilities in your Flutter apps.
Additional Resources
Stay secure, Flutter engineers! 🛡️
Last updated
Was this helpful?